##
## 0wnboot.S
##
## Created by Will Strafach on 1/24/09.
## Copyright 2009 Chronic Dev. All rights reserved.
##
## this will patch a 2.1.1 image. if you understand the patches, then they can easily
## be interchanged in this source for any other firmware version's iboot / ibec / ibss.
##
## NOTE: this is not to be used in any type of commercial product whatsoever. you may not even use a byte of it for any kind of
## commercial products. products include but are in no way limited to: cheap chinese dongles, iPhoneUnlockUK-alike websites
## that sell stuff that is available for free, and others. If you are from Datel, you are not even allowed to look at the
## following code, so just go away if you are. seriously, go away. even if it is not for pay, you are not allowed to take
## any of this code and throw it into a half baked app and say you made a jailbreak. however, you may use it in a program
## that is 100% free and the following people are credited:
## AriX, chronic, ius, lilstevie, OPK, pod2g, and westbaer (iPod 2G devel team)
##
## NOTE 2: run "arm7_stop" after using "arm7_go" to run this, or you may encounter issues with being able to write to
## 0x09000000
##

_start:
	# Entry point: apply the in-memory patches, then the verbose-boot change,
	# then park the core. Nothing here is expected to return to a caller; the
	# trailing B spin is the intended end state.
	BL DoPatches
	#BL PatchCmdHandlers - ramdisks won't boot if enabled :(
	#BL AddTestCmd - ramdisks won't boot if enabled :(
	#BL AddKbagCmd - br0ken
	BL AddVBoot
	# NOTE(review): AddVBoot does not come back here - its BL memcpy overwrites
	# LR before its MOV PC, LR - so this B spin is never reached. The net effect
	# is still "spin", but keep it in mind before adding steps after AddVBoot.
	B spin

DoPatches:
	# Apply both in-memory patches. Leaf routine (no BL inside), so LR still
	# holds the caller's address at the MOV PC, LR below.
	# In:    nothing
	# Out:   nothing
	# Clobb: R0, R1
	# patch signature check
	LDR R0, =0x0FF1A132        # halfword-aligned target (ends in 2)
	# NOTE(review): the "=literal" pseudo-form is documented for LDR; confirm
	# the assembler in use also accepts it for LDRH. 0x2000 is an encodable
	# MOV immediate if it does not.
	LDRH R1, =0x2000
	STRH R1, [R0]              # 16-bit store: only one halfword is changed
	# patch iboot flags
	LDR R0, =0xFF2ADC0         # word-aligned target
	LDR R1, =0xFFFFFFFF
	STR R1, [R0]               # 32-bit store
	MOV PC, LR
	# unreachable: the MOV PC, LR above always leaves this routine
	B spin
	
AddVBoot:
	# ramdisks will boot in verbose mode for debugging
	# Publishes a pointer to a RAM copy of vBootArgs, then copies the string
	# (42 characters + NUL = 0x2B bytes) to that RAM location.
	# In:    nothing
	# Out:   nothing
	# Clobb: R0-R3, LR (via BL memcpy), flags (memcpy's SUBS)
	LDR R0, =0x0FF108B8        # location that receives the pointer
	LDR R1, =0x22004000        # where the boot-args copy will live
	STR R1, [R0]               # pointer is published before the copy is made
	LDR R0, =vBootArgs         # memcpy src
	LDR R1, =0x22004000        # memcpy dst (same address as published above)
	MOV R2, #0x2B              # byte count, includes the terminating NUL
	BL memcpy                  # BL overwrites LR with the address of the next line
	# NOTE(review): LR now points at this very instruction, so MOV PC, LR
	# re-executes itself instead of returning to _start. Saving LR around the
	# call (PUSH {LR} ... POP {PC}, or a spare register) would make this a
	# real return.
	MOV PC, LR
	# unreachable while the return above loops on itself
	B spin

AddTestCmd:
	# Currently disabled (the BL in _start is commented out).
	# Copies the command label over an existing label, then places the
	# description and the pre-assembled handler into RAM. The pointer fix-ups
	# that reference these RAM locations live in PatchCmdHandlers.
	# In:    nothing
	# Out:   nothing
	# Clobb: R0-R3, LR (via BL memcpy), flags
	LDR R0, =testCmdLabel
	LDR R1, =0x0FF22F28
	# NOTE(review): "0wnTest" is 7 characters + NUL = 8 bytes, but 9 are
	# copied; the extra byte presumably comes from whatever follows
	# testCmdLabel in this file (kbagCmdLabel) - confirm it is intended.
	MOV R2, #0x9
	BL memcpy
	LDR R0, =testCmdDescription
	LDR R1, =0x22000000
	MOV R2, #0x1E              # 29 characters + NUL
	BL memcpy
	LDR R0, =testCmdPayload
	LDR R1, =0x22000030        # the blob's trailing address words appear to assume this location
	MOV R2, #632
	BL memcpy
	# NOTE(review): same LR problem as AddVBoot - BL memcpy overwrote LR, so
	# this MOV PC, LR loops on itself rather than returning.
	MOV PC, LR
	B spin

AddKbagCmd:
	# Marked "br0ken" in _start and not called. Same shape as AddTestCmd:
	# label over an existing label, then description and handler blob into RAM.
	# In:    nothing
	# Out:   nothing
	# Clobb: R0-R3, LR (via BL memcpy), flags
	LDR R0, =kbagCmdLabel
	LDR R1, =0x0FF1E1DC
	MOV R2, #5                 # "kbag" + NUL
	BL memcpy
	LDR R0, =kbagCmdDescription
	LDR R1, =0x22001000
	MOV R2, #15                # "decrypt a kbag" + NUL
	BL memcpy
	LDR R0, =kbagCmdPayload
	LDR R1, =0x22001100
	MOV R2, #28                # matches the 28 bytes defined at kbagCmdPayload
	BL memcpy
	# NOTE(review): BL memcpy has overwritten LR, so this MOV PC, LR does not
	# return to the caller (see AddVBoot for the fix).
	MOV PC, LR
	B spin

PatchCmdHandlers:
	# Currently disabled (see _start). Stores the two pointers for the 0wnTest
	# command - handler pointer and description pointer - matching the RAM
	# locations AddTestCmd copies into. Leaf routine (no BL), so the
	# MOV PC, LR return is intact.
	# In:    nothing
	# Out:   nothing
	# Clobb: R0-R3
	# 0wnTest code and desc ptr
	LDR R0, =0x0FF25638        # where the handler pointer is stored
	LDR R2, =0x0FF2563C        # where the description pointer is stored (next word)
	LDR R1, =0x22000031        # AddTestCmd's payload address + 1; low bit set, presumably a Thumb entry - verify
	LDR R3, =0x22000000        # AddTestCmd's description address
	STR R1, [R0]
	STR R3, [R2]
	# kbag code and desc ptr - kbag payload is broken atm, fix later
#	LDR R0, =0x0FF245CC
#	LDR R2, =0x0FF245D0
#	LDR R1, =0x22001100
#	LDR R3, =0x22001000
#	STR R1, [R0]
#	STR R3, [R2]
	MOV PC, LR
	# unreachable: the MOV PC, LR above always leaves this routine
	B spin

memcpy:
	# thanks to ius for this memcpy code here
	# Byte-wise copy. In: R0 = src, R1 = dst, R2 = count. Out: nothing.
	# Clobb: R0, R1, R2, R3, flags. Leaf; returns through LR.
	# The test is at the bottom, so R2 must be > 0: a count of 0 wraps and
	# copies until something faults.
	# NOTE(review): this loads a full word with LDR from a byte-stepping (so
	# usually unaligned) source and stores only the low byte. It can read up
	# to 3 bytes past the end of the source and relies on the core's
	# unaligned-load behaviour; LDRB would state the intent directly.
	LDR R3, [R0], #1
	STRB R3, [R1], #1
	SUBS R2, R2, #1
	BNE memcpy
	MOV PC, LR

spin:
	# Park the core forever; the intended end of _start.
	B spin
	
vBootArgs:
	# 42 characters + NUL = 0x2B bytes, the count AddVBoot copies.
	.asciz "rd=md0 nand-enable-reformat=1 -progress -v"

testCmdLabel:
	# 7 characters + NUL = 8 bytes (AddTestCmd copies 9 - see the note there).
	.asciz "0wnTest"

kbagCmdLabel:
	# 4 characters + NUL = 5 bytes, the count AddKbagCmd copies.
	.asciz "kbag"
	
testCmdDescription:
	# 29 characters + NUL = 0x1E bytes, the count AddTestCmd copies.
	.asciz "assure that 0wnboot worked :)"

kbagCmdDescription:
	# 14 characters + NUL = 15 bytes, the count AddKbagCmd copies.
	.asciz "decrypt a kbag"

testCmdPayload:
	# Pre-assembled handler for the 0wnTest command: 632 bytes, the count
	# AddTestCmd copies to 0x22000030. Its contents are not derivable from this
	# file; the embedded message text and the little-endian words after the
	# code (addresses inside the 0x22000030 copy plus the two DoPatches patch
	# sites) show it is position-dependent.
	# NOTE(review): the byte list is split over two physical lines. GAS ends a
	# .byte statement at the newline, so the second line would not assemble as
	# shown - confirm whether this is a line-wrapping artefact of the copy.
	.byte 0x80, 0xb5, 0x0, 0xaf, 0x23, 0x4b, 0x1a, 0x68, 0x23, 0x4b, 0x18, 0x1c, 0x0, 0xf0, 0x56, 0xf8, 0x20, 0x4b, 0x1a, 0x68, 0x21, 0x4b, 0x18, 0x1c, 0x0, 0xf0, 0x50, 0xf8, 0x1d, 0x4b, 0x1a, 0x68, 0x1f, 0x4b, 0x18, 0x1c, 0x0, 0xf0, 0x4a, 0xf8, 0x1e, 0x4b, 0x1b, 0x68, 0x1, 0x33, 0x14, 0xd1, 0x18, 0x4b, 0x1a, 0x68, 0x1c, 0x4b, 0x18, 0x1c, 0x0, 0xf0, 0x40, 0xf8, 0x15, 0x4b, 0x1a, 0x68, 0x1a, 0x4b, 0x18, 0x1c, 0x0, 0xf0, 0x3a, 0xf8, 0x19, 0x4b, 0x1b, 0x88, 0x1b, 0x4, 0x1a, 0xc, 0x80, 0x23, 0x9b, 0x1, 0x9a, 0x42, 0x7, 0xd0, 0x13, 0xe0, 0xe, 0x4b, 0x1a, 0x68, 0x15, 0x4b, 0x18, 0x1c, 0x0, 0xf0, 0x2b, 0xf8, 0x12, 0xe0, 0xa, 0x4b, 0x1a, 0x68, 0xe, 0x4b, 0x18, 0x1c, 0x0, 0xf0, 0x24, 0xf8, 0x7, 0x4b, 0x1a, 0x68, 0xf, 0x4b, 0x18, 0x1c, 0x0, 0xf0, 0x1e, 0xf8, 0x5, 0xe0, 0x4, 0x4b, 0x1a, 0x68, 0xb, 0x4b, 0x18, 0x1c, 0x0, 0xf0, 0x17, 0xf8, 0xbd, 0x46, 0x80, 0xbd, 0x0, 0x0, 0xa4, 0x2, 0x0, 0x22, 0xf0, 0x0, 0x0, 0x22, 0x10, 0x1, 0x0, 0x22, 0x34, 0x1, 0x0, 0x22, 0xc0, 0xad, 0xf2, 0xf, 0x54, 0x1, 0x0, 0x22, 0x5c, 0x1, 0x0, 0x22, 0x32, 0xa1, 0xf1, 0xf, 0x80, 0x1, 0x0, 0x22, 0x88, 0x1, 0x0, 0x22, 0x10, 0x47, 0xc0, 0x46, 0x30, 0x77, 0x6e, 0x62, 0x6f, 0x6f, 0x74, 0x20, 0x76, 0x30, 0x2e, 0x35, 0x20, 0x2d, 0x20, 0x30, 0x77, 0x6e, 0x54, 0x65, 0x73, 0x74, 0x20, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x65, 0x72, 0xa, 0x0, 0x43, 0x6f, 0x70, 0x79, 0x72, 0x69, 0x67, 0x68, 0x74, 0x20, 0x28, 0x63, 0x29, 0x20, 0x32, 0x30, 0x30, 0x39, 0x20, 0x63, 0x68, 0x72, 0x6f, 0x6e, 0x69, 0x63, 0x20, 0x64, 0x65, 0x76, 0xa, 0xa, 0x0, 0x0, 0x0, 0x0, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x69, 0x6e, 0x67, 0x20, 0x69, 0x62, 0x6f, 0x6f, 0x74, 0x20, 0x66, 0x6c, 0x61, 0x67, 0x20, 0x70, 0x61, 0x74, 0x63, 0x68, 0x2e, 0x2e, 0x2e, 0x0, 0x0, 0x0, 0x0, 0x67, 0x6f, 0x6f, 0x64, 0x21, 0xa, 0x0, 0x0, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x69, 0x6e, 0x67, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x20, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x20, 0x70, 0x61, 0x74, 0x63, 0x68, 0x2e, 0x2e, 0x2e, 0x0, 0x0, 0x0, 0x66, 0x61, 0x69, 0x6c, 0x2e, 0xa, 
0x0, 0x0, 0x70, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x20, 0x77, 0x65, 0x72, 0x65, 0x20, 0x73, 0x75, 0x63, 0x63, 0x65, 0x73, 0x73, 0x66, 0x75, 0x6c, 0x21, 0xa, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xbd, 0xb5, 0xf1, 0xf
	
kbagCmdPayload:
	# Pre-assembled handler for the kbag command: 28 bytes, the count
	# AddKbagCmd copies. Flagged "br0ken" in _start and not wired in (the
	# AddKbagCmd call and the PatchCmdHandlers pointer stores are commented
	# out); contents not derivable from this file.
	.byte 0xf0, 0xb5, 0x1, 0xaf, 0x3, 0x48, 0x20, 0x21, 0x1, 0x22, 0x0, 0x23, 0x0, 0x93, 0x2, 0x4c, 0x20, 0x47, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x39, 0xa7, 0xf0, 0xf
